From

Thank you

Sorry

I work for a large international company. As with most businesses, security is a priority, but our biggest security threat is our users, who for some reason cannot remember the basics: their usernames and passwords.

As I hit the Save button on the latest change in our password policy, I'm amazed it's come to this. We, the IT professionals in charge of maintaining our network, have given in to the whining and complaining of our users and changed a policy purely based on their inability to follow it.

Now, instead of four failed login attempts locking a user out for four hours, we have changed to seven attempts and a one-hour lockout. Granted, the initial setting was unforgiving, but it came as a recommendation from a security analysis service that was paid a great deal of money by management.

Given the amount of locked accounts every morning, we had to make a change before we started getting accused of stifling sales with our stringent password policies.

What's next? Do we just stop using passwords altogether because people complain they have too many of them and they're too difficult to remember? Do we switch to fingerprint login for all computers? Is it time to take a serious look at retinal scans? Where do we draw the line?

Our users are far from dumb, mind you. Most of them are highly skilled CAD engineers or field sales reps where some high-tech machinery skills are required. They need a computer every day like the rest of us. It's more than just a convenience; they rely on laptops, tablets, and smartphones to do their jobs.

Yet the idea of changing passwords or even remembering proper login combinations is simply lost on many of them. Securing our network is practically pointless -- their passwords are on sticky notes on their laptop screens!

It's one thing to be sensitive to the user's needs, but what does it mean when they're so inept that it forces us to change policy? We often hear from users complaining that they have too many passwords. Well, the various systems you use for your job require them. (You remember your job, don't you -- that place that pays your bills?) We can't help the fact you also have usernames and passwords for your bank, your kid's school, your Amazon account, and nine other websites you log in to everyday.

The final straw this week was the rollout of two new company websites. These sites offer access to testing and reporting data via the aforementioned computer, tablet, and smartphones that would otherwise not be available. Due to their international connectivity, one site must meet a highly secure compliance login, while the other ties in to our domain using our standard domain credentials.

As you might have guessed, it was not a pretty rollout and resulted in plenty of locked accounts.

We do our best to communicate articulately to our users. We recommend changes to systems and policies that are confusing and/or inefficient. We're sensitive to the fact that our users are not IT people. We've even implemented single-sign-on technologies to help keep passwords to a minimum.

However, size and budget allow for only so much. At what point does the responsibility fall on the user to simply remember the usernames and passwords they need to do their job? A breach of security hurts everyone. We in IT can only do so much to help. At some point, users need to be responsible for themselves.

Do you have a tech story about supporting users? Send it to offtherecord@infoworld.com, and if we publish it, you'll receive a $50 American Express gift cheque.

Who is Anonymous? It's you, the IT pro, who shares true experiences from the job. Since 2005, the many Anonymous writers have entertained and commiserated with peers through stories of personal blunders, coping with poor managers, trying to communicate with users, and resolving tech problems. Submit your story, and if we publish it in the Off the Record blog we'll send you a $50 American Express gift cheque -- and, of course, keep you Anonymous.